The Jenkins default form control for passwords and other secrets, <f:password/>, supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to a HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files. External References: https://jenkins.io/security/advisory/2017-10-11/
Created jenkins tracking bugs for this issue: Affects: openshift-1 [bug 1501972]
Created jenkins tracking bugs for this issue: Affects: fedora-all [bug 1558869]